MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=joseph+coat+of+many+colors+template'. This indicates an attempt to direct users to malicious infrastructure. Additionally, the PDF exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to Shopify domains hosting other PDFs, suggesting a coordinated effort to distribute content or traffic. The document body, though heavily obfuscated, contains the same redirector URL and other embedded URLs, reinforcing the malicious intent.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=joseph+coat+of+many+colors+template
- http://xawugera.farmcounty.com/uploads/1/3/1/4/131408100/gawagusizu_kidemafixozuj_tafotavobuxiv.pdf
- http://dukeguza.jadeguasha.shop/uploads/1/3/0/7/130738731/0353a54140.pdf
- http://roxog.cakesforeveryoccasion.co.uk/uploads/1/3/1/3/131379326/sekali-topavipe-zubana.pdf
- http://files.cubatrips.ca/uploads/1/3/2/6/132681812/88e7fedc.pdf
- https://cdn.shopify.com/s/files/1/0432/3305/0779/files/zerozulilowej.pdf
- https://cdn.shopify.com/s/files/1/0430/7920/5031/files/65683512212.pdf
- https://cdn.shopify.com/s/files/1/0430/5669/3397/files/86893445185.pdf
- https://cdn.shopify.com/s/files/1/0433/0668/0484/files/cambridge_igcse_first_language_english_coursebook_third_edition_answers.pdf
- https://cdn.shopify.com/s/files/1/0433/6582/6719/files/83838017852.pdf
- https://cdn.shopify.com/s/files/1/0430/6888/3098/files/teragavujulusoxapaso.pdf
- https://cdn.shopify.com/s/files/1/0431/5679/9647/files/sukakiwovotaxelexabexatoj.pdf
- https://cdn.shopify.com/s/files/1/0440/7921/8840/files/77170701541.pdf
- https://cdn.shopify.com/s/files/1/0434/0629/5201/files/nusopi.pdf
- https://cdn.shopify.com/s/files/1/0437/9725/0210/files/predator_228_manual.pdf
- https://cdn.shopify.com/s/files/1/0429/5429/3402/files/88457978498.pdf
- https://cdn.shopify.com/s/files/1/0429/4544/6044/files/divuzegerilitozin.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000060f6.bin37179122eb493c4b3de898e632c02fae95fabcc267775d9cb47a2b86a367ca0d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x60F6 | 5084 bytes |
font_01_sfnt_off0000721b.bin66408a5643a81c8b92f47281c9e47f53b27d3c6ab7a32af52051298e911369e6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x721B | 9896 bytes |
font_02_sfnt_off0000941c.bina542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x941C | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.